From c99df1c310d7ba7a9fbe9026646f8a951b1596c9 Mon Sep 17 00:00:00 2001
From: vpl
Date: Mon, 26 Aug 2019 20:22:04 +0200
Subject: [PATCH] Compare token using crypto::ct_eq

---
 src/api/core/two_factor/email.rs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/api/core/two_factor/email.rs b/src/api/core/two_factor/email.rs
index 1986f816..8491a5b9 100644
--- a/src/api/core/two_factor/email.rs
+++ b/src/api/core/two_factor/email.rs
@@ -181,7 +181,7 @@ fn email(data: JsonUpcase, headers: Headers, conn: DbConn) -> JsonRes
 _ => err!("No token available"),
 };
 
- if issued_token != &data.Token {
+ if !crypto::ct_eq(issued_token, data.Token) {
 err!("Token is invalid")
 }
 
@@ -206,7 +206,7 @@ pub fn validate_email_code_str(user_uuid: &str, token: &str, data: &str, conn: &
 _ => err!("No token available"),
 };
 
- if issued_token != &*token {
+ if !crypto::ct_eq(issued_token, token) {
 email_data.add_attempt();
 if email_data.attempts >= CONFIG.email_attempts_limit() {
 email_data.reset_token();
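Review bot: In `email`, the mismatch branch after the new `crypto::ct_eq` check only returns `err!("Token is invalid")`, whereas the same branch in `validate_email_code_str` calls `email_data.add_attempt()` and resets the token once `CONFIG.email_attempts_limit()` is reached. A constant-time compare removes the timing side channel but does not bound online guessing, so unless a limit is enforced elsewhere in `email` (its body continues outside the hunk), the issued token can be retried on this path without a cap. Consider counting failures here too, with `email_data.add_attempt();` followed by `if email_data.attempts >= CONFIG.email_attempts_limit() { email_data.reset_token(); }`, and persisting the updated record before the `err!`.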
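Review bot: The new `crypto::ct_eq(issued_token, token)` call in `validate_email_code_str` has no comment saying why a plain `!=` is not used, which makes it easy for a later cleanup to revert it; the same holds for the call in `email`. A one-line comment above each check would do, for example `// Constant-time comparison: response timing must not depend on how much of the token matched.` `ct_eq` is defined outside this patch, so whether it returns early on a length mismatch cannot be confirmed from here; that is presumably acceptable if tokens have a fixed length, but it is worth stating in its doc comment. The function body starts and ends outside the hunk.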